Psoriasis Study of Health Outcomes

An International Observational Study of 3 Year Health Outcomes in the Biological Treatment of Moderate to Severe Plaque Psoriasis

NESS Privacy Policy

This is the New England Survey Systems, Inc. (hereafter referred to as "NESS") Privacy Policy for Personal Information and/or Personal Data entered by users of NESS software.(1) NESS provides solutions for our clients for processing and storing data in support of clinical trials and medical studies. NESS clients determine what data to collect with the NESS solutions. Such data may include personal information about their authorized users, employees, and clinical trial patients. NESS processes and provides access to this data only as instructed by our clients. NESS does not "control" or own such personal data.

Prior to any study deployment, all data that is requested to be collected by our client or customer relating to a natural person who may be identified either directly or indirectly must be classified as personal data. Such "personal data" classification is the responsibility of Eli Lilly and Company and its authorized representatives (hereafter referred to as "the client" or the "data Controller").

Once identified by the client, access to such personal data that is processed by NESS is under strict access control rules, expressly dictated by the client, and implemented by NESS. Those data points identified by the client as personal information will be logically segregated from non-personal information. Access to personal information is defined by the NESS client (the "data Controller").

Data sets and data points on any forms containing such personal data will default to the word "Redacted" or other artificial/pseudonymized(2) data; the only exceptions are those entities authorized by the client to access such personal data. Access to identified personal data is restricted solely as instructed by the client.

The purpose of this Privacy Policy is to provide an overall structure for embracing the goals and procedures to maintain the privacy of individuals interacting with NESS NEForm applications and externally-facing websites.

Applicable Regulations. The NESS Privacy Program adheres to the Privacy Shield Principles; addresses NESS compliance with the US Health Insurance Portability and Accountability Act (HIPAA) privacy rule; and, with respect to data collected in the EU, addresses the European Union General Data Protection Regulation (GDPR) (2016/679), effective 25 May 2018.

A Data Controller determines the purpose and means of the processing of personal data. The client contracting with NESS for NEForm applications is the Data Controller.

Data NESS collects

NESS collects personal data from the NESS public websites (NESS website www.neform.com is accessible outside of the NESS firewall). NESS may passively collect personal data such as IP addresses, log files, or cookies through the external facing website. NESS may also collect personal data, such as email addresses, health information, given voluntarily by individuals contacting NESS through the external facing website.

The www.neform.com website is not intended for use by minors. NESS does not knowingly collect personal information of minors via www.neform.com.

Applicable Law

Except with regard to personal data collected in the EU and Switzerland, this Privacy Policy covering individuals who use NESS solutions will be construed under the laws of the State of Massachusetts, USA, without giving effect to any conflict of law provisions. Submission of any disputes not involving the personal data of EU or Swiss individuals, will be to the state and federal courts located in Boston, Massachusetts, USA. See our Privacy Shield notice below.

______________________________________________________________________________
(1) The terms "Personal Information" and "Personal Data" are used interchangeably in this document.
(2) Personal data that can no longer be attributed to a specific data subject without the use of additional information, that additional information being kept separately and securely.

Scope

This Policy is explicitly applicable to, but not limited to, Clinical Trial Privacy issues. This Policy addresses the processing, use, and retention of Protected Health Information under the US Health Insurance Portability and Accountability Act (HIPAA) privacy rule.

This Policy addresses the processing, use, and retention of personal information collected in the European Union, under the auspices of the GDPR.

NESS does not intend to collect the personal information of minors unless explicitly required by a client and only if the process comports to this privacy policy and all relevant regulations.

How we use collected information

NESS commits to protecting the privacy of all users interacting with NESS software products: web-based applications and mobile applications.

This Policy describes the Types and Purposes of personal information NESS collects, how NESS protects that information, and the conditions controlling how the information is shared.

This Policy defines Personal Information as nonpublic information relating to an identified or identifiable living individual.

Personal Information Collection: NESS client-specific applications will provide clear and conspicuous notice regarding the uses of personal information collected directly from individuals, such as through a registration process or a webpage.

Personal Information Processing: In the course of using a NESS client-specific application, a user may be requested to provide personal information. Personal information may include but is not limited to the following:

Contact information: As part of the registration process, a user may provide their name, date of birth, mailing address and email address, and phone number.

Other Information Processing: Through the use of a NESS application, other personal information (i.e. health information) is collected. Other information which does not reveal an individual's specific identity or does not directly relate to an individual may be processed (analyzed for reports). Other information may include but is not limited to:

Internet Protocol (IP) address: An IP address may be collected from a user of NESS NEForm applications. The IP address may be used to monitor activity, such as the user's location.

Combined Information: If there are any instances where NESS combines Other Information with Personal information, such as combining a precise geographical location with an individual's name, the combined information becomes Personal Information and is treated as Personal Information. This is done at the discretion of the data Controller (NESS's client).

Personal Information Sharing and Use: The personal information processed by NESS may be used to contact an individual:

  • In connection with the NESS application registration
  • To respond to their comments, questions, concerns, and suggestions
  • As specified by the terms of NESS's contracts with the data Controller.

NESS processes and retains personal information only as explicitly directed by the data Controller (NESS's client). NESS keeps personal data in accordance with our agreement with the data controller and applicable law. NESS does not own the personal information processed by NESS client-specific applications.

NESS will immediately inform the Client (data Controller), in writing:

  • Of any request for access to any Personal Information received by NESS from an individual who is (or claims to be) the subject of the data, or a request from such individual to cease or not begin Processing, or to rectify, block, erase or destroy any such Personal Information;
  • Of any request for access to any Personal Information received by NESS from any government official (including any data protection agency or law enforcement agency), or a request from such government official to cease or not begin processing, or to rectify, block, erase or destroy any such Personal Information;
  • Of any inquiry, claim or complaint regarding the processing of the Personal Information received by NESS;
  • Of any other requests with respect to Personal Information received from the client's employees or other third parties, other than those set forth in the agreement, or a request to cease or not begin processing, or to rectify, block, erase or destroy any such Personal Information.

NESS will not respond to those requests unless explicitly authorized in writing by the Client.

Information Access, Revision and Opting Out:

An individual may choose to 'opt out' of receiving communication from NESS and/or request removal of their contact information. An individual with issues about access, correction, amendment, deletion or restriction of use of personal information must direct those concerns to NESS who in turn seeks authorization to take appropriate action from the data Controller (NESS's client). NESS reserves the right to retain and disclose an individual's information for a time period of up to 15 years as permitted or required by law or regulation. If you have any questions regarding this Privacy Policy, please contact dataprivacy@nesurv.com.

For EU and Swiss Individuals: Privacy Shield Notice for Personal Data Transfers to the United States

Any Personal Information collected about EEA or Swiss individuals via NEForm applications is processed in the United States by NESS.

NESS complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. NESS has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, NESS is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to dataprivacy@nesurv.com. If requested to remove data, we will respond within a reasonable timeframe.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

NESS's accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, if NESS were to transfer personal data to third parties, NESS remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless NESS proves that it is not responsible for the event giving rise to the damage.

In compliance with the Privacy Shield Principles, NESS commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact NESS by email at dataprivacy@nesurv.com.

NESS has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction

Personal Information Transfer:

The data Controller (NESS Client) is responsible for complying with laws and regulations regarding notice, disclosure and/or obtaining prior consent prior to transferring personal information to NESS for processing. NESS transfers personal information only as directed by the data Controller (NESS Client).

Choice and Consent:

An individual providing NESS with their information chooses to consent and agree to the terms of this Privacy Policy. NESS applications are hosted in the United States and in Frankfurt, Germany. You do not have to share your information with us, but if you choose not to share your information, you will not be able to use the NESS application.

Security:

NESS makes every effort to ensure the integrity and confidentiality of personal information under NESS's control and uses state-of-the-art security procedures to protect personal information throughout its lifecycle. NESS uses physical, electronic and administrative procedures to safeguard an individual's personal information from unauthorized destruction, alteration, disclosure, or access and to protect personal information from loss or misuse.

Breach Notification

In the unlikely event that an individual's personal information is acquired (or is reasonably believed to have been acquired) by an unauthorized person, we will take appropriate steps as required by applicable law. Where applicable, NESS will determine the scope of the data breach, investigate, and restore the integrity of the NESS data system.

Changes to This Privacy Policy

NESS reserves the right to change this Privacy Policy at any time by posting a new privacy policy at this location; NESS will provide notification of any material changes through our Sites at least thirty (30) business days prior to the change taking effect. Therefore, you are responsible for periodically checking our Privacy Policy for changes.

Contact us

Individuals whose personal data NESS processes have the right to access, correct or delete their personal data.

There may be limitations on our ability to comply with your request.

You may contact us at dataprivacy@nesurv.com or by mail at:

NESS
1415 Beacon Street,
Brookline, MA 02446 USA
Attn: Data Protection Officer

If you are not satisfied with our response or believe that we are not processing your information in accordance with the law, you can register a complaint with a Data Protection Authority (DPA).